We are trying to lock down a Terminal Server, and want to remove a commercial package's ability to accept UNC file paths, ie. paths in the app can then only be entered using the windows drive letters.
Is there any way to do this in Windows?
Can we disallow UNC paths for just the app?
Can we disallow UNC paths for the entire Terminal Server session?
The intention is to allow the application to only write to certain directories (as mapped in the Terminal Server session). The aim is to prevent the output of files to directories that the users have access to, but are not mapped in the Terminal Server session.
Look in the GPO under User Configuration>Administrative Templates>Start Menu and Task Bar>Remove Run menu from Start Menu (enabled or disabled?).
This prevents the user from entering in a unc path in IE address bar if enabled
According to windowsitpro.com,
You must edit the NoRun value (of type
DWORD) in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
or
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
registry subkey.
http://windowsitpro.com/Articles/Print.cfm?ArticleID=25421
But as Richard said, this is more of a serverfault.com question.
Related
I have an sideloaded UWP application where I want to do automatic updates via a UNC path.
My application is able to download the updates by itself into C:\Users\<username>\AppData\Roaming\somerandomfolder
However it seems, that the automatic update mechanism does not handle system variables:
When entering %appdata%\somerandomfolder, it says: "Path has to begin with https:// or \\"
When entering C:\%appdata%\somerandomfolder (which leads to the same path as above when entered in Explorer), VisualStudio accepts the path, however instead of using the correct path, it creates a folder %appdata% at C:\
Is there a way to enter an update path for sideload updates without knowing the exact username?
Thanks in advance
Where is in the registry the path executed when I run the "notepad" command in windows "Start->run command" interface? I want to change it for notepad++ (it is required so, although could look not really good)
If you are like me you use windows run command all the time. I hate using the mouse to point and click a shortcut on the start menu. WIN-R are probably the two most over used keys on my keyboard. After thinking about if awhile I hunted down how the run command works. It turns out that it makes a call to ShellExecute, which I guess is not too surprising. The next thing I wanted to find out was exactly how the commands are resolved. The following is an ordered list of how they are resolved ([1]):
The current working directory
The Windows directory (no subdirectories are searched)
The Windows\System32 directory
Directories listed in the PATH environment variable
The App Paths registry key
Naturally the next thing I wanted to do was customize existing commands or add new commands so I do not have to type as much (standard lazy approach). After examining my options which were to put the executable in one of those paths (since it only locates executables and not shortcuts), modify the path environment variable or add a key to App Paths. The App Paths option seems to be the easiest and most flexible to me. Here is a layout of what you need to do to add an App Paths entry ([1]):
HKEY_LOCAL_MACHINE-->
SOFTWARE-->
Microsoft-->
Windows-->
CurrentVersion==>
App Paths-->
file.exe-->
(Default) = The fully-qualified path and file name
Path = A semicolon-separated list of directories
DropTarget = {CLSID}
Disclaimer: Modifying the registry can cause serious problems that may require you to reinstall your operating system. I cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.
The minimum needed to add a new entry is to add the key file.exe where file is the string you want to type into the run command and to add the Default entry which is the fully-qualified path to the file you want to execute. Note that even it the file you are going to reference isn't an exe file you still need to put the .exe on the key. Here is a sample registry file that I created to add a shorter keyword for Internet Explorer:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App
Paths\ie.exe] #="C:\Program Files\Internet Explorer\iexplore.exe"
After entering that entry into the registry I can simply type “ie” at
the run command to open internet explorer.
Here is a list of some common commands I use at the run command:
cmd – Command prompt winword – Microsoft Word excel – Microsoft Excel
outlook – Microsoft Outlook iexplore – Internet Explorer firefox –
Mozilla Firefox notepad – Notepad compmgmt.msc – Computer Management
Console control appwiz.cpl – Add/Remove programs dialog mstsc –
Microsoft Terminal Service Client regedit – Registry Editor
…
If there is some program that I find myself using all the time I figure out what the run command is for it and if there is not a short easy one I add one to my App Paths as described above. Does anyone else have some other common run commands they use?
I have a VB6 application which links to several POS terminals from a Windows 7 32-bit machine. The POS terminals are mapped to the Windows 7 machine and I can access the POS terminals from the Windows 7 machine from Explorer or via the cmdline/shell.
The application has been updated to ADO 2.8 and all other controls and components I no longer had source code for have been re-written. After a few annoying hiccups, I got the application to recompile on the Windows 7 computer without errors.
Now come the problems. The VB6 application cannot see or navigate to any mapped drives! I have tried twiddling UAC settings; I have set the app to run in Windows XP SP3 mode; I have tried running as Administrator. None of these things (and many permutations of these) work.
Any suggestions on how to make this work?
Adding this registry setting solved the problem for me: http://technet.microsoft.com/en-us/library/ee844140%28v=ws.10%29.aspx.
To work around this problem, configure the EnableLinkedConnections
registry value. This value enables Windows Vista and Windows 7 to
share network connections between the filtered access token and the
full administrator access token for a member of the Administrators
group. After you configure this registry value, LSA checks whether
there is another access token that is associated with the current user
session if a network resource is mapped to an access token. If LSA
determines that there is a linked access token, it adds the network
share to the linked location. To configure the EnableLinkedConnections
registry value
Click Start, type regedit in the Start programs and files box, and
then press ENTER.
Locate and then right-click the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Point to New, and then click DWORD Value.
Type EnableLinkedConnections, and then press ENTER.
Right-click EnableLinkedConnections, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor, and then restart the computer.
I believe you are having trouble because casual drive mapping is per-user, and on a UAC system Administrators group users have two separate contexts (one for each token: SU & elevated).
There is such a thing as a system level drive mapping, which is one done under the System user (NT Authority\System). When you map a drive under this account, and map it persistently, all users can see and use the mapping (subject to the usual access rights for files there).
The normal way you do this is via Domain-level GPOs (Group Policy Objects), which means bribing your local box jockeys if in a corporate managed LAN environment.
One way to do this in a Workgroup machine is to map the letter as System via the AT command, from an elevated command prompt:
at 8:53 am "net use m: \\MediaShare\MyLibrary
ThePW /user:MediaShare\TheUser /persistent:yes > nul"
There the remote server is MediaShare, user TheUser, password ThePW, and 8:53 AM is a minute or two in the future to avoid accidentally scheduling this for tomorrow.
But this fails on Vista and later due to Session 0 Isolation!
So... use the 3rd alternative at Run CMD.exe as Local System Account which is the same thing mentioned by ForcePush's reply to How to map a network drive to be used by a service.
I believe that's what you are after here.
don't know if you ever figured this one out but for me it was the ChDir command (even with the registry fix above).
I had in my code
ChDir "P:\Temp\VidCap\Cam1\" 'I almost never use ChDir
Open "list.txt" For Output As #1
and all the VB6 inbuilt file commands looked straight though any operations, no errors, no nothing. I solved it by explicitly having the path, (in my code it was in a string but you could have it explicitly):
dd = "P:\Temp\VidCap\Cam1\"
Open dd & "list.txt" For Output As #1
works as expected.
hope this helps
H
Try this:
Open command prompt as administrator, and type this in:
net use Z: \\IP Address\share /user:you passwd /persistent:Yes
Change "IP Address", the "share" name, and your username and password as needed.
The author of this is howtogeek (source).
I had same problem. VB6 kept crashing when trying to access USB and mapped drives using the Commondialog method, even though the drives and files were all accessible OK via Explorer. Problem is the drives were not set as shared.
Solved by selecting the connected USB drive in explorer and then right click to
select Properties.
Select Sharing Tab
Select Advanced Sharing
Set the sharing and user rights as needed. May need to have local admin rights.
I want to known who is locking a file on a network share.
Here is the problem : the network share is on a NAS, so I can't log on. I need a tool to find out remotely who is locking the file. It is not practical to reboot the NAS every time, because there are several users.
Handle.exe, Process Explorer and PsFile seems to be limited to files on the local machine, so they don't work for me.
Just in case someone looking for a solution to this for a Windows based system or NAS:
There is a built-in function in Windows that shows you what files on the local computer are open/locked by remote computer (which has the file open through a file share):
Select "Manage Computer" (Open "Computer Management")
click "Shared Folders"
choose "Open Files"
There you can even close the file forcefully.
On Windows 2008 R2 servers you have two means of viewing what files are open and closing those connections.
Via Share and Storage Management
Server Manager > Roles > File Services > Share and Storage Management > right-click on SaSM > Manage Open File
Via OpenFiles
CMD > Openfiles.exe /query /s SERVERNAME
See http://technet.microsoft.com/en-us/library/bb490961.aspx.
PsFile does work on remote machines. If my login account already has access to the remote share, I can just enter:
psfile \\remote-share
(replace "remote-share" with the name of your file server) and it will list every opened document on that share, along with who has it open, and the file ID if I want to force the file closed. For me, this is a really long list, but it can be narrowed down by entering part of a path:
psfile \\remote-share I:\\Human_Resources
This is kind of tricky, since in my case this remote share is mounted as Z: on my local machine, but psfile identifies paths as they are defined on the remote file server, which in my case is I: (yours will be different). I just had to comb through the results of my first psfile run to see some of the paths it returned and then run it again with a partial path to narrow down the results.
Optionally, PsFile will let you specify credentials for the remote share if you need to supply them for access.
Lastly, a little known tip: if someone clicks on a file in Windows Explorer and cuts or copies the file with the intent to paste it somewhere else, that act also places a lock on the file.
If its simply a case of knowing/seeing who is in a file at any particular time (and if you're using windows) just select the file 'view' as 'details', i.e. rather than Thumbnails, tiles or icons etc. Once in 'details' view, by default you will be shown;
- File name
- Size
- Type, and
- Date modified
All you you need to do now is right click anywhere along said toolbar (file name, size, type etc...) and you will be given a list of other options that the toolbar can display.
Select 'Owner' and a new column will show the username of the person using the file or who originally created it if nobody else is using it.
This can be particularly useful when using a shared MS Access database.
The sessions are handled by the NAS device. What you are asking is dependant on the NAS device and nothing to do with windows. You would have to have a look into your NAS firmware to see to what it support. The only other way is sniff the packets and work it out yourself.
Partial answer: With Process Explorer, you can view handles on a network share opened from your machine.
Use the Menu "Find Handle" and then you can type a path like this
\Device\LanmanRedirector\server\share\
sounds like you have the same problem i tried to solve here. in my case, it's a Linux fileserver (running samba, of course), so i can log in and see what process is locking the file; unfortunately, i haven't found how to close it without killing the responsible session. AFAICT, the windows client 'thinks' it's closed; but didn't bother telling the fileserver.
Close the file e:\gestion\yourfile.dat, open by any user (/a *)
openfiles /disconnect /a * /op "e:\gestion\yourfile.dat"
more in:
http://dosprompt.info/commands/openfiles.asp
I am calling CreateFile() to create a file in the Program Data directory. I'm using SHGetSpecialFolderPath() to get the dir name.
I have a user with Vista for whom CreateFile() is returning error 5 (Access Denied). It would help if I knew where CreateFile() was actually attempting to create the file so we can check his folder permissions. The problem with Vista (UAC) is, it's not attempting to create the file in the directory I passed in. It could also be in a VirtualStore directory. An added source of confusion is this user is German and although SHGetSpecialFolderPath() is returning "C:\Program Data\blah blah" as the path, I don't think that's actually where the path is. I think German Vista uses the German word for "Program Data". I would like to be able to tell the user "This is the exact path where we are trying to create the file. Check your permissions on this folder."
I know you can get the a path from an open file handle, but in this case the CreateFile() is failing so I don't have an open handle. How can I get Vista to tell me the actual path where it's attempting to create the file?
Fire up Process Monitor and watch what it does:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
If with UAC the paths used are not the ones you want, then the redirection is in effect.
To make sure that redirection does not occur, add a manifest to your application which indicates to Vista that your application is properly coded and aware of access restrictions (i.e., you don't write to e.g., HKLM or the programs folder if your app doesn't need admin privileges to run).
But your application should be able to write to the APPDATA folder (if that's what you really use).
Make sure you're using CSIDL_APPDATA and not CSIDL_COMMON_APPDATA (the latter one being accessible only with admin privileges).
To find the real path (the one you would expect) tell the user to type %APPDATA% into the explorer bar (or hit Windows+R, then type %APPDATA%, enter). This will open the explorer on that folder.
My understanding is that ProgramData is used by Vista to write files that were attempting to be written inside C:\Program Files, but failed, since unless you are running the app as Admin you can't write inside program files. Maybe you should try saving your files to the AppData folder under the current user.